Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/06/18 15:00:05 UTC
[Bug 62469] New: AuthzProviderAlias ignoring all Require-Parameters
except first one
https://bz.apache.org/bugzilla/show_bug.cgi?id=62469
Bug ID: 62469
Summary: AuthzProviderAlias ignoring all Require-Parameters
except first one
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_core
Assignee: bugs@httpd.apache.org
Reporter: hwibell@gmail.com
Target Milestone: ---
AuthzProviderAlias only accepts the first Require-Parameter even if more were
provided.
A contrived example where this could be an issue is if a user had defined a
list of blacklisted IPs, such as the following:

<AuthzProviderAlias ip blacklisted-ips XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY>
</AuthzProviderAlias>
<Directory "/home/hwibell/2.4.x/built/htdocs/test">
    <RequireAll>
        Require not blacklisted-ips
        Require all granted
    </RequireAll>
</Directory>

In the above example, clients with the IP XXX.XXX.XXX.XXX would be correctly
denied access to anything in `/test` while clients from YYY.YYY.YYY.YYY would
be able to access it when they shouldn't.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 62469] AuthzProviderAlias ignoring all Require-Parameters
except first one
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62469
Hank Ibell <hw...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |PatchAvailable
[Bug 62469] AuthzProviderAlias ignoring all Require-Parameters
except first one
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62469
Christophe JAILLET <ch...@wanadoo.fr> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |FixedInTrunk
--- Comment #4 from Christophe JAILLET <ch...@wanadoo.fr> ---
Message added in doc.
Warning log message also added if such a case is detected at run-time.
See r1834209.
[Bug 62469] AuthzProviderAlias ignoring all Require-Parameters
except first one
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62469
--- Comment #3 from Hank Ibell <hw...@gmail.com> ---
@Christophe You are right: quoting the Require-Parameters works, and the patch
would break such configurations.
I think ditching the patch and adding a note to the doc makes sense. Thanks for
catching that. :)
[Bug 62469] AuthzProviderAlias ignoring all Require-Parameters
except first one
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62469
Christophe JAILLET <ch...@wanadoo.fr> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #5 from Christophe JAILLET <ch...@wanadoo.fr> ---
Backported in r1834843.
Will be part of 2.4.34.
Thx Hank for the report.
[Bug 62469] AuthzProviderAlias ignoring all Require-Parameters
except first one
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62469
--- Comment #1 from Hank Ibell <hw...@gmail.com> ---
Created attachment 35971
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35971&action=edit
Proposed patch for trunk
[Bug 62469] AuthzProviderAlias ignoring all Require-Parameters
except first one
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62469
--- Comment #2 from Christophe JAILLET <ch...@wanadoo.fr> ---
Hmm,
I think that the proposed patch would break configuration like:
<AuthzProviderAlias ip blacklisted-ips "XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY">
</AuthzProviderAlias>
Not sure if such configuration is used, but it would be a workaround to the
issue you have spotted.
Would it be enough to just explain in the doc that if several
Require-Parameters are needed, they have to be put between some "?
https://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#authzprovideralias
Otherwise, your patch should be improved to remove the ", if and only if it is
found at the start and at the end of the 'Require-Parameters' string.
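
Added example, not part of the bug thread or of httpd itself: a small configuration check for the condition discussed above, an <AuthzProviderAlias> opening tag that passes several unquoted Require-Parameters, of which only the first is honoured. It assumes one opening tag per line, uses Python's shlex as an approximation of httpd's argument splitting, and runs on constructed sample addresses; the function name and sample config are hypothetical.

```python
import re
import shlex

# Opening tag of the container: <AuthzProviderAlias provider alias params...>
OPEN_TAG = re.compile(r'^\s*<AuthzProviderAlias\s+(.*)>\s*$', re.IGNORECASE)


def find_truncated_aliases(conf_text):
    """Report aliases whose Require-Parameters are spread over several
    unquoted arguments, so that everything after the first is ignored."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        match = OPEN_TAG.match(line)
        if not match:
            continue  # comments and other directives never match
        # Assumption: shlex approximates httpd's splitting, where a quoted
        # string counts as a single argument.
        args = shlex.split(match.group(1))
        if len(args) <= 3:
            continue  # provider, alias and at most one parameter string
        provider, alias = args[0], args[1]
        findings.append({
            "line": lineno,
            "alias": alias,
            "used": args[2],
            "ignored": args[3:],
            # The workaround from the thread: quote the whole parameter list.
            "suggestion": '<AuthzProviderAlias %s %s "%s">'
                          % (provider, alias, " ".join(args[2:])),
        })
    return findings


# Constructed sample configuration (documentation address ranges).
SAMPLE_CONF = """\
<AuthzProviderAlias ip blacklisted-ips 192.0.2.10 198.51.100.7>
</AuthzProviderAlias>
<AuthzProviderAlias ip quoted-ips "192.0.2.10 198.51.100.7">
</AuthzProviderAlias>
<AuthzProviderAlias ip single-ip 203.0.113.5>
</AuthzProviderAlias>
"""

if __name__ == "__main__":
    for f in find_truncated_aliases(SAMPLE_CONF):
        print("line %d: alias %s uses only %s, ignores %s"
              % (f["line"], f["alias"], f["used"], ", ".join(f["ignored"])))
        print("  suggested: " + f["suggestion"])
```
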